10 ways to recharge cybersecurity ops centers
Mitre Corp. cybersecurity engineer Carson Zimmerman spells out ways government security operations centers can regain advantages against increasingly sophisticated adversaries.
The deck is stacked against defenders of government networks, at least those who join the battle from one of a growing number of cybersecurity operations centers (CSOCs), designed to concentrate as much technology and expertise as possible in the 24/7 effort to protect the public and its institutions.
At least that’s the view of Carson Zimmerman, principal cybersecurity engineer at Mitre Corp., whose new book, Ten Strategies of a World Class Cybersecurity Operations Center, suggests ways government and industry teams that manage CSOCs might reset the odds against their cyber antagonists.
Despite having “a vast array of sophisticated detection and prevention technologies, a virtual sea of cyber intelligence reporting and access to a rapidly expanding workforce of talented IT professionals … most CSOCs continue to fall short in keeping the adversary – even the unsophisticated one – out of the enterprise,” Zimmerman writes.
Beyond the resource advantage, many CSOCs “expend more energy battling politics and personnel issues than they do identifying and responding to cyber attacks,” writes Zimmerman. “All too often, CSOCs are set up and operate with a focus on technology, without adequately addressing people and process issues.”
Zimmerman says the premise of the book is that a balanced approach between technology and tactics would be more effective. The strategies are:
1. Consolidate functions of incident monitoring, detection, response, coordination and computer network defense engineering, operation, and maintenance under one organization: the CSOC.
2. Achieve balance between size and visibility/agility so that the CSOC can execute its mission effectively.
3. Give the CSOC the authority to do its job through effective organizational placement and appropriate policies and procedures.
4. Focus on a few activities that the CSOC practices well and avoid the ones it cannot or should not do.
5. Favor staff quality over quantity, employing professionals who are passionate about their jobs, provide a balance of soft and hard skills and pursue opportunities for growth.
6. Realize the full potential of each technology through careful investment and keen awareness of – and compensation for – each tool’s limitations.
7. Exercise great care in the placement of sensors and collection of data, maximizing signal and minimizing noise.
8. Carefully protect CSOC systems, infrastructure and data while providing transparency and effective communication with constituents.
9. Be a sophisticated consumer and producer of cyber threat intelligence, by creating and trading in cyber threat reporting, incident tips and signatures with other CSOCs.
10. Respond to incidents in a calm, calculated and professional manner.
New guidance is needed, writes Zimmerman, because the cybersecurity front has changed significantly since the early-to-mid 2000s, when many reference materials on CSOCs were first published.
Those developments include the rise of the persistent threat; a movement toward IT consolidation and cloud-based computing; the exponential growth in mobile devices, obscuring where enterprise borders truly lie; and a transition from network-based buffer overflow attacks to client-side attacks.
Gary Gagnon, MITRE senior vice president and chief security officer, called the security operations center vital to the entire information security defense of any organization.
“If it's not effective and agile, the organization leaves itself vulnerable to intrusion,” he said. “We must evolve to an active, threat-based defense that balances mitigation with detection and response. The CSOC … is at the heart of this strategy.”